Very recently, a botnet has started severe exploitation of the Drupalgeddon2 on a large scale. The botnet consists of servers and smart devices. It also acts more like a worm. For your reminder, Drupalgeddon2 is a vulnerability that can allow running codes on the website from the URL. Learn more about Drupalgeddon2.

Botnet attacking Drupal sites

Security researchers from Qihoo 360 Netlab and GreyNoise Intelligence have been keeping a sharp look on the botnet. They spotted the shift of the botnet’s target from other vulnerabilities to Drupalgeddon2. The shift took place at the starting of this week. Netlab team named the botnet as Mushtik as the botnet uses the name in many of its payloads.

Mushtik is developed on top of a really old malware strain Tsunami that’s being used for years for creating botnets to infect Linux servers and other Linux-based systems. The hacker(s) initially used Tsunami for DDoS attacks, but thanks to its feature set, they’ve shifted towards exploiting known vulnerabilities.

According to the security researchers, the Tsunami in Mushtik can install XMRig Monero miner, CGMiner or launch a DDoS attack from the infected hosts. Using these 3 payloads, the crooks are making money for themselves (illegally).

Infected hosts act as a worm

Researchers also added that besides using those 3 payloads, the infected sites also start searching for other sites to find more targets to exploit. That’s performed by a scanning module downloaded by the malware.

The module contacts with a list of different control and command servers to get a list of IP addresses for scanning. It scans the IP addresses on pre-defined ports to identify the systems. After identifying the next potential target, it contacts with the main Mushtik C&C servers about the next target.

This type of behavior is quite common as IoT botnets at the present days. However, Mushtik is the first known one that’s using Drupalgeddon2 in its arsenal. According to GreyNoise, this malware is also actively targeting Oracle WebLogic systems.

GreyNoise has detected a sharp increase in opportunistic exploitation of Oracle WebLogic Server, specifically CVE-2017-10271.

~1,200 devices have suddenly started broadly exploiting this vulnerability by issuing exploit requests to the “/wls-wsat/CoordinatorPortType” URL.

— GreyNoise Intelligence (@GreyNoiseIO) April 18, 2018

How to stay secured

For staying secured, web admins are strongly recommended to upgrade the software of their websites as soon as possible. Drupal released urgent patches for both of their product lines – v7.58 and v8.5.1. Once infected, you may at a severe loss. So, patch your system while there’s still time.

The post Drupalgeddon2 is The Next Target of Hackers appeared first on Linux Windows and android Tutorials.

Drupal has released a patch for this severe bug. For every Drupal site owner, it’s mandatory to update their software immediately, meaning right now. The latest Drupal version is 8.5.1. Update as soon as possible. The flaw is so severe that Drupal assigned a security score of 21 out of 25!

Drupal’s unauthenticated RCE flaw

The bug was identified very recently, under the identifier CVE-2018-7600. Using this bug, a hacker could execute any code inside the website, despite against the CMS’ core components. Thus, he could successfully take over the website.

Moreover, the bug was easier to exploit. The hacker didn’t have to register/authenticate on the sites to take it over. All he needed was to access an URL.

Drupal credits Jasper Mattsson, a Drupal security auditing firm Druid employee for identifying this bug in the software.

Although it’s not so severe as Drupalgeddon (CVE-2014-3704, severity score 25/25), the community nicknamed the latest one with Drupalgeddon2.

No proof-of-concept, no attacks detected (yet)

Although the bug was quite severe, there’s no proof-of-concept code available anywhere on the internet. Moreover, there has been no report found where this bug was exploited to take over the website. With the latest patches released, security researchers are digging up the code to see what’s patched up.

However, because of the public disclosure about the bug, Drupal team anticipates that within days, we could see the attempts to exploit this bug on unpatched systems.

Note that Drupal v6.x and v7.x are also infected with the bug. Drupal released individual updates for each of the versions, where v6.x was discontinued in February 2016.

What to do now

If you’re an admin of Drupal website, update your website to the latest edition. If it’s quite difficult to apply the patches with the running website, switch to a temporary HTML edition of your website so that you won’t have to suffer the damage.

Patching must not be ignored. For example, when Drupal’s official website patched their system for Drupalgeddon2, the site was down for around half an hour.

Drupal currently powers around 1 million websites on the internet with the market share of 9%.

For Facebook users, it’s quite important to secure their data. Learn how to secure your FB information.

The post Drupal Fixes Drupalgeddon2 – No More Taking Over Websites appeared first on Linux Windows and android Tutorials.